cancel
Showing results for 
Search instead for 
Did you mean: 
Create Post

The Identity Management Norm and the Challenge We Face.

Level 11

Network Access of Old

I remember back in the days when I worked at the phone company.  We had a security desk right inside the door and at the counter was a desktop that had the company directory on it.  What didn’t make a lot of sense to me was that the Ethernet port was on the front of the wall, not behind the counter.  Anyone could walk into the office and unplug the corporate directory PC and plug their own in.  DHCP would give them an address and they were on the LAN.  Sad thing is that people did.  I would come walking in from lunch and often see some random guy copping a squat on the floor with his laptop connected.  Back they we really didn’t have a clear way of preventing access to the network.

What We Used to Do

Prior to 802.1X we did have a few solutions but they had their limitations.  One way we could control things was by using a VLAN Membership Policy Server (VMPS).  With a VMPS the MAC address would dictate which VLAN you were assigned to.  If you were not listed in our database you would not get a VLAN assignment on the LAN.  The drawback here was that you had to manage the MAC database.  If an employee had a NIC failure and the NIC were replaced, we would have to remember to update the database.  This happened a lot back when the laptops had a PCMCIA NIC with the flimsy dongle.

Another way we would control network access was with Port Security.  This of course only worked if your switch supported the feature.  If it did you had a few ways to handle business.  You could enter the MAC that should be connected to each port and then limit the number of MAC addresses to 1.  This didn’t scale well either.  We could sticky learn the MAC which helped, but again, scalability issues.  So even though we had a few solutions, nothing was really a great fit.  Fast forward to today and 802.1X is the clear fit.  While we had 802.1X back then, or at least we started to see it, client support was limited.

Network Access Today

Today we still don’t have all the answers.  We primarily use 802.1X and EAP to authenticate and authorize a user on a switch port or on a wireless SSID.  This method of controlling access works well because we have much better support for EAP in our native supplicants today.  For some of the more advanced EAP methods we have clients like Cisco Anyconnect.  Using 802.1X and an external authentication server scales better than the previous solutions discussed in this article.  Along with the scalability comes a great deal of context data that’s useful in determining who is connecting, where they are connecting, how they are connecting and so on.  From a policy perspective this is fantastic.  We have a level of visibility today that we didn’t have back in my early days.  Still, the solution isn’t perfect and there are still some things we need to address, like all that log data.

Where Do the Logs Go?

Your identity management solution is but one source of log information that you’re receiving.  You have the logs from the switches, APs, and Firewalls where your VPN is terminating.  There’s a handful of logging solutions out there that can handle the volume we see on most networks today.  The key to consuming log data is not just being able to store it and handle the shear amount of data being received, but its also being able to use the data in a meaningful way.  So what are some of the things you’d need to identify?  A good solution would help identify users on the network that are doing things that aren’t exactly normal.  When you consider the prevalence of  Bontnets and DDoS attacks it would be advantageous to implement a solution that would identify if your assets are participating in these types of attacks.

The attacks here are just a few examples.  There are many more.  But I’ll leave this post with two questions:

  1. What are you implementing as your Identity Management Solution?
  2. How are you using the log data from that solution and other network devices to mitigate attacks and minimize unauthorized activity on your network?
12 Comments
MVP
MVP

SIEM applications are one way to look for attacks and unauthorized activity as well as log file tools such as splunk where you can index and build queries to look for patterns or events in near time.  Of course these are living tools that need tweaks as things change over time.

There are some really good questions and ideas in this article.  We are in the process of defining our next generation Identity Management Solution to cover the entire enterprise.  I look forward to the on-going discussion.

We're using an evolving deployment of NAC that leverages ACI, FireSIGHT/ASA, and ISE.

Ultimately every log ends up in Splunk, and is reviewed/managed by a separate IS Security team, who will work in combination with the Network and End User Support Teams.

I see challenges with managing the "allowed hardware" databases and user accounts, particularly with mobility and ensuring only corporately owned/managed assets are allowed to connect--while at the same time some limited access for BYOD is allowed.

I don't see a great way of implementing it all without increasing support staff levels.  Particularly when we will simultaneously begin limiting access to the Guest WLAN and filtering its content and tracking and determine appropriate actions and responses for users to defy policy.

MVP
MVP

Great post! It brings back a lot of memories.

Level 20

Two factor authentication on top of whatever method you use with an audit trail is pretty rock solid I'd say.  If you are good with review of logs and SIEM you're even in better shape!  We have the full blown splunk and I gotta say... it's not going to do much out of the box for you... for windows event logging I've used GFI events manager which works because it has all of the native windows security event logging parsing already done for you.  I'm considering SW LEM now potentially if it can prove it's also capable of parsing the windows security event logs out of the box without me having to write a ton of custom queries... I just don't have time for that.

Level 14

Great perspective.  We have come a long way.

Level 12

very good idea........

MVP
MVP

its interesting that WiFi actually has much better basic security than a wired network.

At least pretty much every AP allows mac address filtering etc

Simple solution to stop drive by plugins would be to remove all public plugs and use wifi

Way cheaper than a huge NAC system,

Level 17

Awesome Blast of the past reminder!   I wish I had more insight into the logging of users and access - but info sec and account admin take care of that bag.  Though regular audits on account use might prevent an old user from coming back and using a service account to gain access.

Level 11

The allowed hardware can be a challenge but using ISE to control the BYOD onboarding can certainly make it a little less painful.  If the policies are built right you can easily identify the BYOD devices vs. the corp assets.  You may have some tweaking of the Profiler policies involved but that's not a bad thing.

Level 11

Good point. 

Level 11

That is interesting that although physical security was prevalent for the building network security was overlooked from the physical aspect.  Good article.

About the Author
Brandon Carroll, CCIE #23837 is the CEO of California based Global Config Technology Solutions, Inc, Tech Blogger, and Cisco Press Author. With over 15 years in IT, a few certifications, and a love for technical education you'll find him at Cisco Live, on the Packet Pushers Podcast, Twitter, and Google+.